Security in the Cloud
A blog reader recently asked me to comment on this Security in the Cloud debate. First, a word on the opposing sides. The Yes proponent, Brad Miller, is CEO of Perimeter Internetworking. His company looks like a managed security services firm, except they are latched onto Gartner's security in the cloud idea. That is derived from MCI's (now Verizon's) concept of filtering traffic on its backbones. I find it odd that a company like Perimeter Internetworking can ride the cloud bandwagon when they are not in the cloud!
The No proponent is Bruce Schneier, CTO of Counterpane. He is not exactly saying no to the idea though:
[A] choice between implementing network security in the middle of the network - in the cloud - or at the endpoints is a false dichotomy. No single security system is a panacea, and it's far better to do both...
I'm all in favor of security in the cloud. If we could build a new Internet today from scratch, we would embed a lot of security functionality in the cloud. But even that wouldn't substitute for security at the endpoints. Defense in-depth beats a single point of failure, and security in the cloud is only part of a layered approach.
So perhaps the argument should have been framed "security only in the cloud"? In that respect, Bruce would obviously disagree because (1) it is a bad idea, due to the security necessity of layered defenses; and (2) as an MSSP, Counterpane would lose business. Counterpane will lose business anyway, since ISPs like Verizon, Sprint, and at&t are offering cloud-based security services. Mr. Miller foolishly favors the abolition of end-user, or "CPE" (Customer Premise Equipment), security:
The bottom line is that the superior protection, economics and speed of deployment of security in the cloud will further marginalize CPE-based managed security. Large carriers will embrace security in the cloud and will obviate the need for CPE systems.
This statement demonstrates Mr. Miller has no concept of security principles.
In any case, I see fewer ISPs offering unfiltered pipes, the so-called "clean" pipes, even though calling a pipe "clean" seems at odds with its carrying "dirty" DoS traffic, spam, and the like. ISPs are already filtering common Microsoft Windows ports. This trend will only continue.
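To make the layered-defense point concrete, here is an added example (not code from the original post or from either company) that models three filtering layers: an upstream ISP filter that only sees traffic crossing its backbone, a CPE border firewall that sees everything crossing the premise edge, and an endpoint firewall on the destination host. The Windows port set, the 192.168.1.0/24 premise network, the admin host address and the sample flows are all assumptions constructed for the example. Running it shows which flows a cloud-only design never sees at all: LAN-to-LAN worm traffic and anything arriving over an uplink the ISP does not scrub.

```python
"""Layered filtering model: upstream ("cloud") ISP filter, premise border
firewall (CPE), and endpoint firewall. Sample flows are constructed for this
example; nothing here comes from the original post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The post says ISPs already filter "common Microsoft Windows ports".
# This exact set is an assumption chosen for the example.
WINDOWS_PORTS = {135, 137, 138, 139, 445}
PREMISE = ip_network("192.168.1.0/24")      # assumed customer LAN
ADMIN_HOST = ip_address("192.168.1.10")    # assumed host allowed to reach Windows ports


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    dport: int
    filtered_uplink: bool = True   # False: arrives over a link the ISP does not scrub


def in_premise(addr: str) -> bool:
    return ip_address(addr) in PREMISE


def cloud_filter(f: Flow) -> str:
    """ISP backbone filter: sees only traffic crossing the backbone on a filtered link."""
    if not f.filtered_uplink or in_premise(f.src) == in_premise(f.dst):
        return "unseen"
    return "block" if f.dport in WINDOWS_PORTS else "pass"


def cpe_filter(f: Flow) -> str:
    """Border firewall: sees traffic crossing the premise edge, whatever the uplink."""
    if in_premise(f.src) == in_premise(f.dst):
        return "unseen"
    inbound = in_premise(f.dst) and not in_premise(f.src)
    return "block" if inbound and f.dport in WINDOWS_PORTS else "pass"


def host_filter(f: Flow) -> str:
    """Endpoint firewall on the destination: sees everything that reaches the host."""
    if not in_premise(f.dst):
        return "unseen"
    if f.dport in WINDOWS_PORTS and ip_address(f.src) != ADMIN_HOST:
        return "block"
    return "pass"


LAYERS = [("cloud", cloud_filter), ("cpe", cpe_filter), ("host", host_filter)]
CLOUD_ONLY = LAYERS[:1]   # Mr. Miller's design: no CPE or endpoint filtering


def first_blocking_layer(f: Flow, layers=LAYERS):
    """Name of the first layer that blocks the flow, or None if every layer passes it."""
    for name, fn in layers:
        if fn(f) == "block":
            return name
    return None


def coverage(flows, layers=LAYERS):
    return {f.name: first_blocking_layer(f, layers) for f in flows}


# Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_FLOWS = [
    Flow("internet_smb_scan", "203.0.113.7", "192.168.1.20", 445),
    Flow("internet_web", "203.0.113.7", "192.168.1.30", 80),
    Flow("lan_worm_rpc", "192.168.1.55", "192.168.1.20", 135),
    Flow("unfiltered_link_smb", "198.51.100.9", "192.168.1.20", 445, filtered_uplink=False),
    Flow("admin_smb", "192.168.1.10", "192.168.1.20", 445),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.name:22} all layers: {str(first_blocking_layer(flow)):6} "
              f"cloud only: {first_blocking_layer(flow, CLOUD_ONLY)}")
```

The LAN worm scan and the flow over the unfiltered uplink are both "unseen" by the cloud layer, so in the cloud-only configuration they reach the file server; with the CPE and endpoint layers present they are stopped at the edge and at the host respectively. The legitimate admin SMB session passes all three layers, which is the other half of the argument: the layer closest to the asset is the one that can express policy in terms of that asset.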
Comments
I'm currently working for a major telco in Network Security. We are completely in bed with Microsoft (at least with my group). The IDSes are not tuned. Our signatures are mostly canned vendor signatures. We just lost one of our team to NEC because he was being underutilized. There are power politics from the systems admin group who maintain our servers which I find abhorrent as a former systems admin. Our migration to a reserved private network has been difficult and less than flawless in execution. In short, it's a miracle we are able to do our jobs and find any security threats to our "clients". Just because the telcos say they are doing X doesn't mean they are executing it perfectly or even competently. Now admittedly, I am a small cog in a very big wheel, but Bruce will probably have a secure job for some time to come the way things are going.
Sincerely,
John
I forgot to mention that I do not think that security in the cloud will be done well, or in a manner that addresses all of a customer's concerns. I only think that services with that label are being offered and will continue to be offered. Hence, the need to continue to do premise security -- which is why Bruce is right and Brad is wrong.
Thanx